Simon Bisson & Mary Branscombe's Blog

Spam Fighting in Exchange

By Simon Bisson & Mary Branscombe in Editorial

Posted in Spam, Email on August 6, 2008 at 9:09 am


How can you fight spam with one of the most common email servers out there? After all, surely that should mean it’s an easy play for the spammers, with enough holes to get every V1agr4 advert and pump-and-dump scam into your users’ mailboxes.

It turns out it isn’t - and that the built-in tools are effective spam blockers.

If you’re not using Exchange 2007 Content Filter (or Exchange 2007’s Intelligent Message Filter), turn them on. This is one of the most effective weapons in your arsenal. It’s regularly updated, and it scans messages for common spam formats. Messages are categorised and given spam ratings, which you can use to reject, quarantine, or file messages in users’ Junk Mail folders. CF is surprisingly easy to use - set it up, set the basic filtering rules, and then occasionally check your quarantine mailbox for false positives.

Exchange 2007 has even added whitelisting for persistently filtered false positives. Once a domain is whitelisted, there’s no more delving in the spam folders for Twitter invites or press releases from Kaspersky and Sophos.

I’d been running my server like that for some time, when I discovered another trick that turned out to make a huge difference. Exchange actually supports using real-time block lists (RBLs), which are lists of spam IP addresses hosted by services like SpamCop and Spamhaus. It’s trivially easy to add new block lists to Exchange - just find the lookup address on the block list site (Spamhaus’ is zen.spamhaus.org), and add it and the provider name in the Block List Provider section of Exchange’s anti-spam tools.
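What a block list lookup does under the hood, as an added example that is not from the original post: the connecting IP's octets are reversed, the provider's lookup address is appended, and the answer to a DNS A query is the verdict. The sub-list codes are an assumption based on Spamhaus' published return codes, and the resolver and sample answers are constructed so the example runs offline.

```python
import ipaddress

# Last-octet return codes inside the combined ZEN zone (assumption: values as
# published by Spamhaus; confirm against the provider's documentation).
ZEN_CODES = {2: "SBL", 3: "SBL", 4: "XBL", 5: "XBL", 6: "XBL", 7: "XBL",
             10: "PBL", 11: "PBL"}

def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """Build the DNS name a mail server looks up: reversed octets + zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def classify(answers):
    """Turn the A records returned for a block list query into a verdict."""
    # No answer (NXDOMAIN) means the address is not listed.
    # 127.0.0.x means listed; the last octet says which sub-list.
    # Anything else, e.g. 127.255.255.x, is a provider error signal and
    # must not be treated as a listing, or all mail gets rejected.
    if not answers:
        return ("not_listed", [])
    lists, errors = set(), []
    for a in answers:
        octets = [int(o) for o in a.split(".")]
        if octets[:3] == [127, 0, 0]:
            lists.add(ZEN_CODES.get(octets[3], "unknown"))
        else:
            errors.append(a)
    if errors:
        return ("error", errors)
    return ("listed", sorted(lists))

def check(ip, resolve, zone="zen.spamhaus.org"):
    """resolve(name) -> list of A-record strings; empty list for NXDOMAIN."""
    return classify(resolve(dnsbl_query_name(ip, zone)))

# Constructed stand-in for DNS. The addresses are from documentation ranges
# and the answers are sample data, not real listings.
FAKE_DNS = {
    "25.2.0.192.zen.spamhaus.org": ["127.0.0.2", "127.0.0.4"],
    "7.100.51.198.zen.spamhaus.org": ["127.255.255.254"],
}

def fake_resolve(name):
    return FAKE_DNS.get(name, [])

if __name__ == "__main__":
    for ip in ("192.0.2.25", "198.51.100.7", "203.0.113.9"):
        print(ip, dnsbl_query_name(ip), check(ip, fake_resolve))
```

The "error" branch is the one to watch in production: a provider that answers with an error code instead of a listing should result in mail being accepted and an alert raised, not a rejection.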

Without RBL support turned on I was getting 500 or so spam messages in my quarantine a day, making it hard to filter out the few false positives. With it on, I’m down to less than 100. Managing my spam is a lot easier - and with whitelisting, I’m having to look in the spam folder a lot less often…

–Simon

Comments

Comment by Serge Fernell - August 6, 2008 on 9:53 am

NOTE CORRECTION: Spamhaus RBL (by far the most reliable and most effective of all) is: zen.spamhaus.org (the one mentioned in the article, sbl.spamhaus.org, is just one part of ZEN, you need to be using zen.spamhaus.org if you want proper spam filtering)

Comment by Simon Bisson & Mary Branscombe - August 6, 2008 on 10:10 am

Thanks for that! I’ll amend the post accordingly…

…and update my mail server!

Comment by Jason - August 8, 2008 on 11:47 am

Interesting point about the Exchange 2007 Content Filter, we are currently running Mailsweeper and I wonder if the functionality of the built-in Exchange Filter is comparable?

RBL can be very useful for keeping a large majority of unwanted mail out but before implementing something like this a business has to be fully aware of the implications - especially from the risk of false negatives. I.e. genuine mail that fails to get through.

From time to time a valid sender can appear on a RBL through little fault of their own and the RBL filter will simply reject them - whilst many of these are probably unwanted anyway there is always the possibility of a customer order being lost. If that customer is an important customer they are unlikely to take kindly to an outright rejection of mail. We discovered this lesson the hard way. In the times we have experienced this with trading partners the sender has been unaware at the point of sending an email that they are on a blacklist.
